Re: [IPsec] Fw: Preshared key authentication in IKEv2

To: "Valery Smyslov" <svanru at gmail.com>
Subject: Re: [IPsec] Fw: Preshared key authentication in IKEv2
From: Tero Kivinen <kivinen at iki.fi>
Date: Mon, 2 Nov 2009 16:43:43 +0200
Cc: ipsec at ietf.org, Paul Hoffman <paul.hoffman at vpnc.org>
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <1A567F18E9E144989D2F06830DB24CC6 at trustworks.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <82DFB96E88E54DE98E9B6B5F766C3EB8 at trustworks.com> <p06240896c710cc6eae34 at [10.20.30.158]> <19182.59664.628328.76563 at fireball.kivinen.iki.fi> <1A567F18E9E144989D2F06830DB24CC6 at trustworks.com>

Valery Smyslov writes:
> Hi Paul and Tero,
> 
> thank you for your answers.
> 
> > > The PRF (or set of PRFs) is known by the receiving party. If the two
> > > parties always only use one PRF, it is known. The padding is not a
> > > universal solution for the reasons you give, but it works in the
> > > common case of peers who know each other's crypto choices.
> >
> > As Paul said recipient knows which algorithms it support, and it can
> 
> Sometimes it doesn't. I refer to implementations with pluggable
> crypto, when crypto providers are separated from IKE implementation
> and can be added/removed later.

Then you need to store the original shared key not the hashed version
of it.
-- 
kivinen at iki.fi

References:
- [IPsec] Fw: Preshared key authentication in IKEv2
  - From: Valery Smyslov
- Re: [IPsec] Fw: Preshared key authentication in IKEv2
  - From: Paul Hoffman
- Re: [IPsec] Fw: Preshared key authentication in IKEv2
  - From: Tero Kivinen
- Re: [IPsec] Fw: Preshared key authentication in IKEv2
  - From: Valery Smyslov

Prev by Date: Re: [IPsec] Fw: Preshared key authentication in IKEv2
Next by Date: Re: [IPsec] [multipathtcp] IPsec multihoming and mobility
Previous by thread: Re: [IPsec] Fw: Preshared key authentication in IKEv2
Next by thread: [IPsec] Protocol Action: 'IKEv2 Session Resumption' to Proposed Standard
Index(es):
- Date
- Thread

Re: [IPsec] Fw: Preshared key authentication in IKEv2

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.